Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google’s “Sign in with Google” authentication system has left millions of Americans vulnerable to potential data theft.

This vulnerability mainly affects former employees of startups, especially those that have ceased operations.

According to Truffle Security, the root cause stems from how Google’s OAuth login interacts with domain ownership changes.

When a startup fails, and its domain becomes available for purchase, anyone who acquires that domain can potentially recreate email accounts for former employees.

While these recreated accounts cannot access old email data, they can be used to log into various SaaS products previously utilized by the organization.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

To demonstrate the severity of this issue, a security researcher purchased a defunct startup’s domain and successfully logged into multiple services, including:

• ChatGPT
• Slack
• Notion
• Zoom
• HR systems (containing social security numbers)

The most concerning breaches involved HR systems, which housed sensitive information such as tax documents, pay stubs, insurance details, and social security numbers.

Interview platforms also contained confidential data about candidate feedback and hiring decisions. Chat platforms exposed private messages and other sensitive communications.

The scale of this vulnerability is staggering:

• Approximately 6 million Americans currently work for tech startups
• 90% of tech startups eventually fail
• 50% of those startups rely on Google Workspaces for email

An analysis of Crunchbase’s startup dataset revealed over 100,000 domains from failed startups currently available for purchase.

Assuming an average of 10 employees per startup lifetime and 10 different SaaS services used, this vulnerability could potentially expose sensitive data from more than 10 million accounts.

The core of the problem lies in how service providers like Slack determine user authentication. They typically rely on two claims from Google’s OAuth: the HD (hosted domain) claim and the email claim.

The HD claim allows access to anyone from a specific domain, while the email claim logs users into their specific accounts. However, when domain ownership changes, these claims remain the same, granting new owners access to old employee accounts.

A potential solution proposed to Google involves implementing two immutable identifiers within its OpenID Connect (OIDC) claims:

1. A unique user ID that remains constant over time
2. A unique workspace ID tied to the domain

Despite the researcher reporting this vulnerability to Google’s security team, the initial response was to mark it as “Won’t fix.” It was only after the issue gained wider attention that Google reopened the case.

As of now, there is no comprehensive fix for this vulnerability. Downstream providers like Slack cannot fully protect against this issue unless Google implements the proposed OIDC claims.

Former employees of startups lose control over their data protection once they leave the company, leaving them at the mercy of the startup’s future and domain ownership.

This security flaw underscores the need for more robust authentication systems and highlights the potential risks associated with relying on third-party login services.

As the tech industry continues to evolve, it is crucial for companies like Google to address these vulnerabilities promptly to protect users’ sensitive information and maintain trust in their services.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!